Is it possible to detect 100% of SQLi with a simple regex?Getting a SQL injection past a given regexWhich...
Identical projects by students at two different colleges: still plagiarism?
How can guns be countered by melee combat without raw-ability or exceptional explanations?
What does an unprocessed RAW file look like?
What does "don't have a baby" imply or mean in this sentence?
Ramanujan's radical and how we define an infinite nested radical
Is opening a file faster than reading variable content?
Why is ra lower than re while la is higher than le?
Will linear voltage regulator step up current?
How to know if I am a 'Real Developer'
Sauna: Wood does not feel so hot
STM32 PWM problem
How do I handle a blinded enemy which wants to attack someone it's sure is there?
80-bit collision resistence because of 80-bit x87 registers?
I hate taking lectures, can I still survive in academia?
How can I differentiate duration vs starting time
How to achieve physical gender equality?
What did Putin say about a US deep state in his state-of-the-nation speech; what has he said in the past?
What is formjacking?
Coworker is trying to get me to sign his petition to run for office. How to decline politely?
TikZ-Tree with asymmetric siblings
Found a major flaw in paper from home university – to which I would like to return
How to write painful torture scenes without being over-the-top
How to play songs that contain one guitar when we have two or more guitarists?
Define function that behaves almost identically to Mathematica function
Is it possible to detect 100% of SQLi with a simple regex?
Getting a SQL injection past a given regexWhich enterprise-class DBMS allow forbiddance of (No)SQL comments?Faster SQL injection preventionBeyond SQL injections and XSSDatabase table name prefixes and security by obscurityHow bad is allow edit a database field containing an sql from a form?Validate database column and table names to prevent SQLi?Is the hosting OS safe to sql injection hackers by hiding admin ID?SQLi with quote filter?Is single quote filtering nonsense?
I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.
In other words, using very simple PHP code as an example:
if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}
The questions are:
- Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?
- Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".
- Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?
sql-injection ids detection regex
asked yesterday
reedreed
2,7342724
|
show 8 more comments
I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.
In other words, using very simple PHP code as an example:
if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}
The questions are:
- Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?
- Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".
- Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?
sql-injection ids detection regex
asked yesterday
reedreed
2,7342724
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
6
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
15
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
9
If you're okay with some false positives, then this one will always catch all SQL injection:.*
– Duncan X Simpson
19 hours ago
5
You don't even need a regex, justreturn true. Pretty high false-positive rate though.
– Kevin
14 hours ago
|
show 8 more comments
I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.
In other words, using very simple PHP code as an example:
if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}
The questions are:
- Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?
- Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".
- Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?
sql-injection ids detection regex
asked yesterday
reedreed
2,7342724
I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.
In other words, using very simple PHP code as an example:
if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}
The questions are:
- Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?
- Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".
- Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?
sql-injection ids detection regex
sql-injection ids detection regex
asked yesterday
reedreed
2,7342724
asked yesterday
reedreed
2,7342724
edited yesterday
reed
asked yesterday
reedreed
2,7342724
asked yesterday
reedreed
2,7342724
asked yesterday
reedreed
2,7342724
2,7342724
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
6
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
15
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
9
If you're okay with some false positives, then this one will always catch all SQL injection:.*
– Duncan X Simpson
19 hours ago
5
You don't even need a regex, justreturn true. Pretty high false-positive rate though.
– Kevin
14 hours ago
|
show 8 more comments
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
6
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
15
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
9
If you're okay with some false positives, then this one will always catch all SQL injection:.*
– Duncan X Simpson
19 hours ago
5
You don't even need a regex, justreturn true. Pretty high false-positive rate though.
– Kevin
14 hours ago
4
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
6
6
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
15
15
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
9
9
If you're okay with some false positives, then this one will always catch all SQL injection:
.*– Duncan X Simpson
19 hours ago
If you're okay with some false positives, then this one will always catch all SQL injection:
.*– Duncan X Simpson
19 hours ago
5
5
You don't even need a regex, just
return true. Pretty high false-positive rate though.– Kevin
14 hours ago
You don't even need a regex, just
return true. Pretty high false-positive rate though.– Kevin
14 hours ago
|
show 8 more comments
5 Answers
5
active
oldest
votes
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.4k29170206
39
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
5
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
2
Also, this doesn't catch attacks that may disrupt the service, such as"; drop table users; --which, simply, deletes the (hypothetical) users' table. This is far more devastating. Or, just a simple"; update users set password="<known value>"; --.
– Ismael Miguel
22 hours ago
|
show 5 more comments
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,158314
12
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
3
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
10
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
15 hours ago
|
show 2 more comments
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4671411
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
yesterday
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
yesterday
|
show 5 more comments
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 22 hours ago
PhilippPhilipp
44.2k7112139
Parameterized queries are not "also known as" prepared statements. Parameterized queries are one form of a prepared statement, but not the only form. The two should not be conflated.
– dotancohen
1 hour ago
add a comment |
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered yesterday
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
yesterday
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
23 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
23 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
23 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
21 hours ago
|
show 5 more comments
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203843%2fis-it-possible-to-detect-100-of-sqli-with-a-simple-regex%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.4k29170206
39
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
5
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
2
Also, this doesn't catch attacks that may disrupt the service, such as"; drop table users; --which, simply, deletes the (hypothetical) users' table. This is far more devastating. Or, just a simple"; update users set password="<known value>"; --.
– Ismael Miguel
22 hours ago
|
show 5 more comments
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.4k29170206
39
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
5
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
2
Also, this doesn't catch attacks that may disrupt the service, such as"; drop table users; --which, simply, deletes the (hypothetical) users' table. This is far more devastating. Or, just a simple"; update users set password="<known value>"; --.
– Ismael Miguel
22 hours ago
|
show 5 more comments
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.4k29170206
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.4k29170206
answered yesterday
schroeder♦schroeder
76.4k29170206
answered yesterday
schroeder♦schroeder
76.4k29170206
answered yesterday
schroeder♦schroeder
76.4k29170206
76.4k29170206
39
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
5
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
2
Also, this doesn't catch attacks that may disrupt the service, such as"; drop table users; --which, simply, deletes the (hypothetical) users' table. This is far more devastating. Or, just a simple"; update users set password="<known value>"; --.
– Ismael Miguel
22 hours ago
|
show 5 more comments
39
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
5
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
2
Also, this doesn't catch attacks that may disrupt the service, such as"; drop table users; --which, simply, deletes the (hypothetical) users' table. This is far more devastating. Or, just a simple"; update users set password="<known value>"; --.
– Ismael Miguel
22 hours ago
39
39
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
5
5
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
2
2
Also, this doesn't catch attacks that may disrupt the service, such as
"; drop table users; -- which, simply, deletes the (hypothetical) users' table. This is far more devastating. Or, just a simple "; update users set password="<known value>"; --.– Ismael Miguel
22 hours ago
Also, this doesn't catch attacks that may disrupt the service, such as
"; drop table users; -- which, simply, deletes the (hypothetical) users' table. This is far more devastating. Or, just a simple "; update users set password="<known value>"; --.– Ismael Miguel
22 hours ago
|
show 5 more comments
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,158314
12
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
3
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
10
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
15 hours ago
|
show 2 more comments
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,158314
12
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
3
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
10
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
15 hours ago
|
show 2 more comments
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,158314
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,158314
edited yesterday
Joel Coehoorn
1,3571912
edited yesterday
Joel Coehoorn
1,3571912
edited yesterday
Joel Coehoorn
1,3571912
1,3571912
answered yesterday
SefaSefa
1,158314
answered yesterday
SefaSefa
1,158314
answered yesterday
SefaSefa
1,158314
1,158314
12
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
3
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
10
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
15 hours ago
|
show 2 more comments
12
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
3
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
10
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
15 hours ago
12
12
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
3
3
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
10
10
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
15 hours ago
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
15 hours ago
|
show 2 more comments
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4671411
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
yesterday
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
yesterday
|
show 5 more comments
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4671411
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
yesterday
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
yesterday
|
show 5 more comments
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4671411
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4671411
edited 13 hours ago
answered yesterday
Fake NameFake Name
4671411
answered yesterday
Fake NameFake Name
4671411
answered yesterday
Fake NameFake Name
4671411
4671411
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
yesterday
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
yesterday
|
show 5 more comments
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
yesterday
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
yesterday
9
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
yesterday
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
yesterday
1
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
yesterday
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
yesterday
|
show 5 more comments
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 22 hours ago
PhilippPhilipp
44.2k7112139
Parameterized queries are not "also known as" prepared statements. Parameterized queries are one form of a prepared statement, but not the only form. The two should not be conflated.
– dotancohen
1 hour ago
add a comment |
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 22 hours ago
PhilippPhilipp
44.2k7112139
Parameterized queries are not "also known as" prepared statements. Parameterized queries are one form of a prepared statement, but not the only form. The two should not be conflated.
– dotancohen
1 hour ago
add a comment |
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 22 hours ago
PhilippPhilipp
44.2k7112139
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 22 hours ago
PhilippPhilipp
44.2k7112139
edited 21 hours ago
answered 22 hours ago
PhilippPhilipp
44.2k7112139
answered 22 hours ago
PhilippPhilipp
44.2k7112139
answered 22 hours ago
PhilippPhilipp
44.2k7112139
44.2k7112139
Parameterized queries are not "also known as" prepared statements. Parameterized queries are one form of a prepared statement, but not the only form. The two should not be conflated.
– dotancohen
1 hour ago
add a comment |
Parameterized queries are not "also known as" prepared statements. Parameterized queries are one form of a prepared statement, but not the only form. The two should not be conflated.
– dotancohen
1 hour ago
Parameterized queries are not "also known as" prepared statements. Parameterized queries are one form of a prepared statement, but not the only form. The two should not be conflated.
– dotancohen
1 hour ago
Parameterized queries are not "also known as" prepared statements. Parameterized queries are one form of a prepared statement, but not the only form. The two should not be conflated.
– dotancohen
1 hour ago
add a comment |
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered yesterday
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
yesterday
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
23 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
23 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
23 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
21 hours ago
|
show 5 more comments
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered yesterday
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
yesterday
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
23 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
23 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
23 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
21 hours ago
|
show 5 more comments
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered yesterday
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered yesterday
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
luis.espinalluis.espinal
1094
answered yesterday
luis.espinalluis.espinal
1094
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
yesterday
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
23 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
23 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
23 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
21 hours ago
|
show 5 more comments
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
yesterday
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
23 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
23 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
23 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
21 hours ago
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
yesterday
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
yesterday
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
23 hours ago
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
23 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture
SELECT x from y where either x or y are SQL SELECT statements themselves.– luis.espinal
23 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture
SELECT x from y where either x or y are SQL SELECT statements themselves.– luis.espinal
23 hours ago
1
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
23 hours ago
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
23 hours ago
3
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
21 hours ago
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
21 hours ago
|
show 5 more comments
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203843%2fis-it-possible-to-detect-100-of-sqli-with-a-simple-regex%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
6
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
15
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
9
If you're okay with some false positives, then this one will always catch all SQL injection:
.*– Duncan X Simpson
19 hours ago
5
You don't even need a regex, just
return true. Pretty high false-positive rate though.– Kevin
14 hours ago